Apple Patches Widget Malware Hole in Tiger

Apple Patches Widget Malware Hole in Tiger - 05/21/0510:29 AM

Apple Computer Inc. has quietly patched several security holes in Mac OS X 10.4, also known as "Tiger," including one that allows potentially malicious widgets to be downloaded and installed into Dashboard.

The security patches were released as part of an OS X 10.4.1 update earlier this week, but the company has only just released details of them. The update patches four security holes, the most well-known of which is the problem where widgets—small applications working in the software's Dashboard system—could be downloaded and installed without any specific user confirmation. Under 10.4.1, automatic installation of Widgets is blocked, and users must specifically approve the installation of each Widget.

Although several Web pages appeared that demonstrated how widgets could be installed without user intervention, there have been no reports of malicious widgets being found in the wild. However, because widgets can execute code—including shell scripts—outside the Dashboard environment, the ability for widgets to be downloaded and installed simply by clicking on a Web link looked like a potential route for malware on the platform.

Also patched is an issue with Bluetooth file exchange support, which could potentially be used to access files outside the default file exchange directory, allowing Bluetooth devices access to files throughout the system. The update also patches a kernel issue that could reveal the names of files that would normally be hidden from a user through two system calls designed for searching, as well as a second kernel problem that allowed a potential denial-of-service attack via a vulnerability in the nfs_mount() call.

In addition, Apple has fixed an issue with locked screen savers, which had previously allowed any user with physical access to the machine to open URLs without having to type a user name or password to unlock the system.

Despite the widgets issue, which received a large amount of attention on its discovery shortly after Tiger's release, Apple has had praise from analysts for its approach to security issues. Although several analysts cautioned that the company's growing market share may see it garner more attention from hackers and virus writers, Peter Kastner, director at Vericours Inc., claimed that "so far Apple has been able to keep up with—if not a step ahead of—the bad guys."